Description
In Concrete CMS 9.5.0 and below, the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access: downloading permission-restricted files bypasses the view_file permission check. Files without passwords can be downloaded, and any user who knows a file's password can download that password-protected file regardless of whether they have permission to access the file. The Concrete CMS security team gave this vulnerability a CVSS v4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks to Youssef Eid for reporting.
Published: 2026-05-21
Score: 6.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The submit_password() method in Concrete CMS 9.5.0 and earlier bypasses the view_file permission check, allowing users to download files regardless of whether they are authorized to view them. Files without passwords can be retrieved directly, and password-protected files can be downloaded by anyone who knows the password, irrespective of the user's permissions. This missing-authorization vulnerability (CWE-862) enables unauthorized disclosure of file contents. The CVE description states that the download permission check is bypassed when downloading files that are protected by a password or restricted by a view_file permission.

Affected Systems

Concrete CMS: version 9.5.0 and all earlier releases are affected.

Risk and Exploitability

The CVSS score of 6.3 indicates a moderate-severity flaw. The EPSS score is not available, and the vulnerability is not listed in CISA KEV. The likely attack vector is remote over the network, where an attacker accesses the /concrete/controllers/single_page/download_file.php endpoint. An attacker who identifies a file's password can download that file even if they lack proper permissions. The vulnerability can be exploited without elevated privileges or pre-existing user access, relying solely on knowledge of file passwords and the existence of the download endpoint.

Generated by OpenCVE AI on May 21, 2026 at 22:53 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Concrete CMS to a release newer than 9.5.0 when it becomes available.
  • Configure server-side access controls or .htaccess rules to restrict the download_file controller to authenticated and authorized users only.
  • Monitor download_file activity and audit file access logs for signs of unauthorized downloads.

Generated by OpenCVE AI on May 21, 2026 at 22:53 UTC.


Advisories

No advisories yet.

History

Tue, 26 May 2026 13:45:00 +0000

Type      Values Removed   Values Added
CPEs      (none)           cpe:2.3:a:concretecms:concrete_cms:*:*:*:*:*:*:*:*
Metrics   (none)           cvssV3_1: {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Fri, 22 May 2026 14:30:00 +0000

Type      Values Removed   Values Added
Metrics   (none)           ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 21 May 2026 22:45:00 +0000

Type                  Values Removed   Values Added
First Time appeared   (none)           Concretecms; Concretecms concrete Cms
Vendors & Products    (none)           Concretecms; Concretecms concrete Cms

Thu, 21 May 2026 21:45:00 +0000

Type          Values Removed   Values Added
Description   (none)           In Concrete CMS 9.5.0 and below, the submit_password() method in concrete/controllers/single_page/download_file.php allows unauthorized file access since downloading permission-restricted files bypasses the view_file permission check. Files without passwords can be downloaded and any user who knows a file's password can download a password protected file regardless of whether they have permission to access the file. The Concrete CMS security team gave this vulnerability a CVSS v.4.0 score of 6.3 with vector CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N. Thanks Youssef Eid for reporting
Title         (none)           Concrete CMS 9.5.0 and below is vulnerable to File Download Authorization Bypass in submit_password()
Weaknesses    (none)           CWE-862
References    (none)           (none)
Metrics       (none)           cvssV4_0: {'score': 6.3, 'vector': 'CVSS:4.0/AV:N/AC:H/AT:P/PR:N/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N'}


MITRE

Status: PUBLISHED

Assigner: ConcreteCMS

Published:

Updated: 2026-05-22T13:15:14.670Z

Reserved: 2026-05-05T18:01:25.067Z

Link: CVE-2026-7879

Vulnrichment

Updated: 2026-05-22T13:15:11.192Z

NVD

Status : Analyzed

Published: 2026-05-21T22:16:48.777

Modified: 2026-05-22T19:18:46.720

Link: CVE-2026-7879

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T23:00:14Z

Weaknesses